Open Source 2019-11-18 · 0 days · Credential Theft, Cryptocurrency Theft, Data Exfiltration

Monero CLI binaries stole wallet seeds

GetMonero briefly served malicious Linux and Windows CLI wallet binaries. The altered wallet sent private wallet seeds to attacker infrastructure, enabling theft of XMR funds.

Story

Monero's official download site served compromised binaries for a short window on November 18, 2019. A user noticed that the SHA-256 hash of a downloaded CLI wallet archive did not match the signed hash published by the project. The Monero team investigated and warned users not to run binaries downloaded between 02:30 and 16:30 UTC.

The attacker replaced the official CLI wallet binaries, not the source tree. The malicious Linux archive carried a modified monero-wallet-cli; the Windows CLI binaries were also compromised. The other Monero programs in the archive appeared unmodified, which kept the tampering confined to the wallet binary.

The modified wallet asked for the password twice and added functions whose names referred to sending the seed to command-and-control infrastructure. During wallet creation, wallet opening, or use of the seed command, the malware transmitted the private seed to node.xmrsupport.co in traffic shaped to resemble Monero daemon RPC.

A stolen seed is the wallet. Attackers could drain funds and inspect transaction metadata available through the wallet keys. Monero moved binaries to a safe source, told users to verify hashes, and advised anyone who had run the compromised binaries to move funds with a verified wallet immediately.
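The check that exposed this incident was a hash comparison between a downloaded archive and the project's signed hash list. The script below is an added example, not code from the Monero project or from this record: it parses a `sha256sum`-style hash list (`<sha256>  <filename>` lines, with clearsigned PGP armor lines ignored), hashes a local file, and compares the two in constant time. It also treats a file that is absent from the list as a failure, since an attacker who controls the download server also controls the filename. The archive names and contents in `demo()` are constructed sample data; the one real value is the published SHA-256 of the bytes `abc`, used as a known-answer check.

```python
"""Verify a downloaded release archive against a published SHA-256 hash list.

Added example (not from the Monero project): the hash-list format assumed
here is the `<sha256>  <filename>` layout written by `sha256sum`, which may
be wrapped in a PGP clearsign block. Verifying the PGP signature over the
hash list is a separate step (e.g. `gpg --verify`) and is not done here.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One hash-list line: 64 hex digits, whitespace, optional '*' (binary mode), filename.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")

# Real SHA-256 of the three bytes b"abc" (FIPS 180-2 known-answer value).
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def parse_hash_list(text: str) -> dict[str, str]:
    """Map basename -> lowercase digest. Non-matching lines (PGP armor,
    'Hash: SHA256', comments, blanks) are skipped rather than treated as data."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            out[Path(m.group(2)).name] = m.group(1).lower()
    return out


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: Path, hash_list: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, message). A file missing from the list is a failure, not a
    skip: the download server cannot be trusted to name files honestly."""
    expected = hash_list.get(path.name)
    if expected is None:
        return False, f"{path.name}: not present in signed hash list"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected):
        return True, f"{path.name}: OK ({actual})"
    return False, f"{path.name}: MISMATCH expected {expected} got {actual}"


def demo() -> list[bool]:
    """Constructed scenario: one genuine archive, one whose bytes were swapped
    after the hash list was published, one not listed at all.
    Returns the verdicts in that order."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        genuine = root / "monero-linux-x64-sample.tar.bz2"   # constructed name
        genuine.write_bytes(b"abc")                           # matches SHA256_ABC
        tampered = root / "monero-win-x64-sample.zip"         # constructed name
        tampered.write_bytes(b"abd")                          # one byte changed
        unlisted = root / "monero-extra-sample.tar.bz2"       # constructed name
        unlisted.write_bytes(b"anything")

        # Constructed hash list: the publisher signed digests for the genuine
        # contents of both archives; the attacker then replaced the Windows one.
        published = (
            "-----BEGIN PGP SIGNED MESSAGE-----\n"
            "Hash: SHA256\n\n"
            f"{SHA256_ABC}  {genuine.name}\n"
            f"{SHA256_ABC}  {tampered.name}\n"
            "-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n"
            "-----END PGP SIGNATURE-----\n"
        )
        hl = parse_hash_list(published)
        results = []
        for p in (genuine, tampered, unlisted):
            ok, msg = verify_download(p, hl)
            print(msg)
            results.append(ok)
        return results


if __name__ == "__main__":
    demo()
```

Run as a script it prints one verdict per file; only the genuine archive passes. The same `verify_download` call works on a real download once the hash list has been fetched and its PGP signature checked separately.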

Affected Artifacts

Monero CLI Wallet

binary release · getmonero.org · repository · Binary Archive
Observed
2019-11-18
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:b99009d2e47989262c23f7277808f7bb0115075e7467061d54fd80c51a22e63d
Notes
  • The Monero advisory gave the affected download window as 2019-11-18 02:30 to 16:30 UTC.
  • SerHack reported that the malicious Linux binary was built from Monero release-0.15.0 source and that the Windows binaries contained the same malicious seed-exfiltration functions.

Incident Context

Motive
Cryptocurrency Theft
Attribution
Group
Cause
Website Compromise
Transitive
No

External References

Source record: oss/attacks/monero/meta.yaml